Hostinger, which is based in Kaunas, Lithuania, says it discovered the breach on Thursday. It has cut off access to the system, according to a blog post on Sunday. The company says it has 29 million customers in 178 countries.

Token Allowed Privilege Escalation

The intruder gained access to a server that held an authorization token, Hostinger says. That token was then used to escalate privileges and reach a RESTful API server, which is used to query client accounts.

The database contained hashed passwords: values that have been run through a one-way mathematical function, so the original password cannot be read back directly. Storing only a hash is the right approach, but how much protection it gives depends on which algorithm is used and on whether each password gets its own salt, because an attacker who copies the database can still guess passwords offline and compare the results against the stored hashes.

Hostinger used SHA-1 to hash plain-text passwords, Jankus says. SHA-1 is a fast, general-purpose hash that was never designed for password storage: an attacker holding the hashes can test many billions of candidate passwords per second on commodity GPUs, which is why it is no longer considered appropriate for this purpose. These days, organizations tend to use bcrypt, which is salted and deliberately slow, so each guess costs the attacker far more. Jankus says Hostinger is now using SHA-2 to hash passwords. SHA-2 is also a fast general-purpose hash, so the switch does not by itself address the cracking concern in the way a purpose-built password hash such as bcrypt, scrypt or Argon2 would.
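To make the difference concrete, the following is an added example (not Hostinger's code, and not from the article) that runs the same small dictionary attack against an unsalted SHA-1 hash, an unsalted SHA-256 hash, and a salted, slow password hash. bcrypt, which the article mentions, is not in Python's standard library, so the slow scheme here is hashlib.scrypt, a memory-hard key derivation function that serves the same purpose; the wordlist, the leaked values and the scrypt parameters are all constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Callable, Iterable, Optional

# Constructed sample wordlist for the demo (a real attack would use
# hundreds of millions of entries plus mangling rules).
WORDLIST = ["123456", "qwerty", "letmein", "password", "hostinger1"]


def sha1_hash(password: str) -> str:
    """How the article says passwords were stored: a fast, unsalted SHA-1 digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha256_hash(password: str) -> str:
    """SHA-2 (SHA-256) is a fast hash too; unsalted, it is no harder to attack."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_fast_hash(leaked_hex: str, hash_fn: Callable[[str], str],
                    wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against an unsalted fast hash.

    Each candidate costs one cheap digest, and with no salt the same
    precomputed table of digests works against every user in the dump.
    """
    for candidate in wordlist:
        if hash_fn(candidate) == leaked_hex:
            return candidate
    return None


# Assumed scrypt cost parameters for the demo (RFC 7914 interactive values).
# In production, tune N so one derivation takes on the order of 100 ms.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow storage. The salt is random per user and is
    stored next to the derived key so it can be recomputed at login."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${dk.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    scheme, salt_hex, dk_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown password hash scheme")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        **SCRYPT_PARAMS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_scrypt(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """The same dictionary attack against scrypt. It still finds a weak
    password, but every guess now costs a full memory-hard derivation and the
    per-user salt means the work cannot be shared across users."""
    for candidate in wordlist:
        if scrypt_verify(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    leaked = sha1_hash("password")
    print("SHA-1 of 'password':", leaked)
    print("recovered from SHA-1:  ", crack_fast_hash(leaked, sha1_hash, WORDLIST))
    print("recovered from SHA-256:", crack_fast_hash(sha256_hash("password"),
                                                     sha256_hash, WORDLIST))
    record = scrypt_hash("password")
    print("scrypt record:", record)
    print("verify right password:", scrypt_verify("password", record))
    print("verify wrong password:", scrypt_verify("qwerty", record))
    print("recovered from scrypt: ", crack_scrypt(record, WORDLIST))
```

The point the run makes is that a slow, salted hash raises the per-guess cost and defeats shared precomputation, but it does not rescue a password that is in the attacker's wordlist; that is why the password reset and the promised 2FA matter as well.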

"We decided to reset customers' passwords to eliminate even the slightest possibility of a breach of their account."— Daugirdas Jankus, Hostinger

The database contained client usernames, first names and IP addresses, Hostinger says. The company says that websites, domains and hosted emails are "untouched and unaffected."

Those who used so-called "social" logins, or authentication integrations with Google, Facebook and others, are unaffected, Hostinger says.

2FA Coming

The company doesn't offer two-factor authentication, which would mean that a stolen or cracked password alone is not enough to log in to an account. But in answer to a question about the security incident, Jankus writes "we are planning to provide 2FA in the near future."

"The safest option is to use social logins (Google, Facebook or Github)," he writes. "Anyone using social logins does not need to change or even set their members area password."

Asked why Hostinger does not encrypt client data at rest, Jankus writes: "Some of the user data is not encrypted because it is shown in different places all over your member's area. If encrypted, it would not be possible to decrypt it and show it on your member's area. However, we have assembled a team of internal and external experts to investigate the origin of the incident and increase security measures of all Hostinger operations, so that similar issues would not happen in the future."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
